Terminology

These topics are intended to be a quick reference to frequently used Infor Security and Resource Management terminology. You will encounter these terms as you read other sections of the document.

Actor

In Infor Landmark Technology, a user is called an actor. If you are adding users through Infor Security Services (federated systems), you might have to add both an LSF resource (or user) and a Landmark actor.

Agent

In Infor Security, an agent is a special type of service. See "Service" below.

Attributes

In Resource Management, attributes are descriptive properties of resources. An attribute can be a name, a Yes/No flag, or whatever information is applicable to that resource. When you add or modify a resource, a list of attributes that can be applied to the resource appears.

For upgrading customers, data about users that, in Release 8.0, was stored in such locations as User Personal Profile and Web Name (RD30) is now stored as attributes in Resource Management.

You add or update user attributes through the user's LDAP record. This can be done when the user is initially added to the system or at any time afterward.

Auditing

The term auditing is used for two purposes.

You can audit changes made to your security system setup. (You can tell when you view a rule whether it has been altered since it was originally created. You can also run a report to see what was changed and who changed it.)

In the database tier, auditing refers to tracking user access of the database by user ID.

Authentication and authorization

Authentication and authorization have different meanings in Infor Security.

Authentication occurs when users present their credentials for access to a system. Infor Security provides multiple options for configuring authentication. More information is available in the document, Infor Lawson 10 Authentication Configuration Guide.

In Infor Security, authorization is the set of rules and roles that determines specific access for each application and associated data. These rules and roles provide the nuances in security access. Authorization is not the same as authentication: a user might be authenticated to access a system but be authorized to use only part of it. For example, a user can have access to an application that they need to update their personal data, but cannot access other users' information within the same application.

Authentication service (primary)

When two systems are federated (for example, Infor Lawson System Foundation and Infor Landmark Technology), one system is primary for user authentication. The primary service is the system that authenticates users for access to both systems.

Federated configuration requires Infor Security Services (ISS). More information about ISS and about authentication is in these documents:

  • Infor Security Services Configuration Guide

  • Infor Lawson 10 Authentication Configuration Guide

Company and Process Level security

Company and Process Level security is an Infor Lawson term for a type of security that has been available for several releases and which is compatible with Infor Security. In previous releases, this type of security was referred to as "data security" or, in the case of the Human Resources (HR) application, "900 API security," and "HR security."

Company and Process Level security makes use of a set of pre-defined conditions to restrict user access. For example, in the HR application, customers define Companies (groups or business units) and Process Levels (customer-defined level, for example, division or location). Users can access data only in the Company and Process Level to which they have been assigned.

Not all applications call the filters "Company" and "Process Level," but applications that have implemented this type of security work in similar ways. For example, Accounts Payable calls these attributes Company and Activity Level. Other applications use other terms.
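To make the filtering concrete, here is an added illustration (not Infor's code) of how a Company and Process Level assignment restricts the rows a user can see. The record layout, the `Assignment` type, the `visible_rows` helper and the rule that an assignment with no process level covers every process level in that company are assumptions of this example; the key-name parameters show that the same filter works for an application that labels the second level differently, such as Accounts Payable's Company and Activity Level.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of Company / Process Level data security.
# Added example only; not Infor's implementation.


@dataclass(frozen=True)
class Assignment:
    """One Company / Process Level pair a user has been assigned to.
    process_level=None is an assumption of this example meaning
    'every process level in the company'."""
    company: int
    process_level: Optional[str] = None


def is_visible(assignments, company, process_level):
    """True if any assignment covers the given company and process level."""
    return any(
        a.company == company
        and (a.process_level is None or a.process_level == process_level)
        for a in assignments
    )


def visible_rows(assignments, rows, company_key="company", level_key="process_level"):
    """Keep only the rows whose company/level the user is assigned to.
    The key names are parameters because other applications use other
    labels for the same concept (for example, Activity Level)."""
    return [r for r in rows if is_visible(assignments, r[company_key], r[level_key])]


# Constructed sample data: HR employee records and AP invoice records.
EMPLOYEES = [
    {"employee": 1001, "company": 100, "process_level": "DIV1"},
    {"employee": 1002, "company": 100, "process_level": "DIV2"},
    {"employee": 1003, "company": 200, "process_level": "DIV1"},
]
INVOICES = [
    {"invoice": "A-1", "company": 100, "activity_level": "DIV1"},
    {"invoice": "A-2", "company": 200, "activity_level": "DIV1"},
]

# Constructed users: a clerk limited to one process level, a manager
# assigned to a whole company.
CLERK = [Assignment(100, "DIV1")]
MANAGER = [Assignment(100)]


def visible_employee_ids(assignments):
    return [r["employee"] for r in visible_rows(assignments, EMPLOYEES)]


def visible_invoice_ids(assignments):
    return [r["invoice"] for r in visible_rows(assignments, INVOICES, level_key="activity_level")]


if __name__ == "__main__":
    print("clerk sees employees:", visible_employee_ids(CLERK))      # [1001]
    print("manager sees employees:", visible_employee_ids(MANAGER))  # [1001, 1002]
    print("clerk sees invoices:", visible_invoice_ids(CLERK))        # ['A-1']
```

The filter is deny-by-default: a row whose company or level matches no assignment is simply not returned, which is the behaviour an administrator should verify when testing a new assignment.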

Data Source

Infor Security uses the term "data source" to refer to a product line, data area, or data ID.

Directory

In Resource Management (and LDAP directories in general), a directory is the term for the information repository itself.

Encryption

User data is stored in encrypted files. Encryption is provided by Bouncy Castle.

Entry

In Resource Management (and LDAP directories in general), the information being stored about a resource is called an entry. (This is equivalent to a "record" in database terms, although LDAP directories are technically structured much differently from RDBMS systems.)

Federation

In Infor Security, federation is a configuration in which multiple Infor Lawson systems (for example, Infor Lawson System Foundation and Infor Landmark Technology) share the user repository, so that users who need to can access both LSF- and Landmark-based applications.

Customers can decide which system will be the "primary authentication service," the system where user authentication occurs.

Federated configuration requires Infor Security Services (ISS). More information about ISS and about authentication is in these documents:

  • Infor Security Services Configuration Guide

  • Infor Lawson 10 Authentication Configuration Guide

Identity

In Infor Security, an identity is a "passport" to an Infor Lawson component. Users might have multiple identities for components that require authentication. For example, a user might have one identity for the , another for accessing the database, and another for self-service applications. The single sign-on component makes it unnecessary for users to sign in again. For administrators, part of setting up a user means creating identities for the user on the services they will require.

Inheritance

Inheritance is a property of an object in Resource Management that means its attributes are based on another object. See "role" for an example of how inheritance works.

Infor Security Administrator

The Infor Security Administrator is the main user interface for Infor Security. It is the tool for writing rules, creating security classes, and for administering security profiles. It is used for performing a large number of user maintenance operations.

LDAP Directory

LDAP is an acronym for Lightweight Directory Access Protocol, the industry-standard protocol for accessing directory information. Resource Management is Infor Lawson's interface to a third-party LDAP directory product that you either purchased to use with Infor Security or were already using for managing email or other resources.

Note: Infor Security and Resource Management are Infor Lawson user interfaces for updating LDAP data. Do not use LDAP built-in tools (that is, tools delivered with your LDAP) to view or make changes to your Infor Lawson data. (If you plan to modify Infor Lawson schema, or data structure, use Infor Lawson Schema Editor.)

Mass Assignment of Attributes

Mass assignment of attributes means updating the LDAP entries for a group of users at one time. You can do this when you have to add or change the same attribute for many users.

Object

People or things that you secure with Infor Security and add to the system through Resource Management are considered objects. See "Securable Object" later in this section.

Profile

You can think of a profile as a container for the access rights that have been defined for a data source used in one instance of the Infor Lawson Environment.

Typically, when you set up Infor Security, you create a profile for an application data source, that is, the data that users access when they perform transactions and run reports. You also configure, per your needs, Infor Lawson-delivered profiles (ENV, GEN, and LOGAN) that contain Infor Lawson metadata and other system information.

Security administrators have special profiles because their access rights must be "above" the access that other users have.

Resource (People or Thing)

In the Resource Management component of Infor Security, a resource is a person or thing entry that is being maintained in Resource Management. You have to add People and Thing resources to the RM directory. People resources are people, most likely employees of your company. Some, but not all, are Infor Lawson users. For example, suppose your company has one thousand employees and only one hundred of them use the system to perform their jobs. You can maintain information about all one thousand employees in the Resource Management repository. The users will require additional information in their directory entries but all employees can be managed in a single directory.

Thing resources are non-person resources that you have to secure access to. These could be, for example, printers and job queues.

Resource Management Administrator

The Resource Management Administrator is a desktop tool that you will use when you want to add or make changes to information about resources that is stored in the LDAP directory. There is some overlap between tasks you perform with the Resource Management Administrator and those you perform with the Security Administrator. Generally speaking, you use the Security Administrator for adding and maintaining users and for assigning security access. The Resource Management Administrator is for adding and maintaining roles and groups.

RMID

RMID is the term for the unique identifier that each user must have. All users must have an RMID. The RMID is typically the identifier that is associated with the SSOP identity and with which a user logs into Lawson Portal (although it does not have to be).

The Security and Resource Management Administrators sometimes use the term RDID; RMID and RDID are interchangeable terms. The screen for adding a new user to Resource Management has an attribute called ID. This attribute contains the RMID.

Roles

In the Resource Management system, a role is a set of access rights that a user has to the system. You create roles based on the jobs that users perform at your site. You assign security classes (containers of rules) to roles and then assign roles to users. This is a much more efficient way to assign access rights to users, particularly in systems with many users.

Rules

A rule describes a specific access right to the system. Some examples:

  • Access to the Employee form (HR11) is granted with no restrictions.

  • Access to HR11 is granted for viewing but not updating.

  • Access to HR11 is granted for viewing and updating.

  • Access to HR11 is granted but the SALARY field is not viewable and cannot be changed.

  • Access to HR11 is granted for viewing and updating but no ability to access drill fields.

Schema and Schema Editor

In general, schema is the structure of a data repository, similar to metadata or "data that describes data."

Data that resides in Infor Security / Resource Management has a schema that is defined by Infor Lawson. This includes the types of resources and other objects that are stored in Resource Management. Depending on how you choose to use Resource Management you might not maintain some data for which Infor Lawson provides attributes. Or, you might choose to add attributes that Infor Lawson does not deliver. To make these types of changes you would use the Infor Lawson Schema Editor.

Note: Do not use the built-in tools delivered with your LDAP directory to maintain Infor Lawson data. Always use the Resource Management or Schema Editor desktop tools.

Securable Object

When you create a security class, a securable object is the item that you want to secure. It can be a form, a report, a table, a data source, or any other Infor Lawson object. When you write security rules, you apply them to a particular object.

Securable Type

A securable type is a type of object that will be secured. When you create rules, objects to write rules against are organized by type (for example, online, batch, report). You use object type to locate an object.

For administrative profiles (profiles that are used for securing security), you can secure objects by type. For example, if you didn't want a sub-administrator to secure data sources, you could write a rule that prevents sub-administrators from working with the data source securable type.

Security Administrators

Security administrators are the personnel at your site, typically in your IS department, who manage security. They are responsible for adding and deleting users, creating rules and security classes, and assigning them to users and roles.

With Infor Security, you can set up your system so that some administrators have access to all of security (super-administrators) and some can only administer a part of the system (sub-administrators). An example of something you might want to do: Set up your system so that a sub-administrator can assign users to security classes but cannot create security classes.

Security Class

A security class is a group of rules that provides access to a specific task. For example, you might create a security class called Pay Vendor Invoices. This class would give access to the data source, forms, reports, drill fields, and so on, that a user needs to successfully perform that task. (This security class would, in turn, be assigned to all roles that need to pay vendor invoices, for example, AP Clerk and AP Manager.)
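The Roles, Rules and Security Class entries above describe one hierarchy: rules are grouped into security classes, classes are assigned to roles, and roles are assigned to users. The following added example (not Infor's code) models that hierarchy and evaluates an access request against it, using the HR11 rule variants listed under Rules as sample data. The class and function names (`Rule`, `SecurityClass`, `Role`, `User`, `can_access`) and the evaluation policy (any reaching rule can grant an action, but a field hidden by any reaching rule stays hidden) are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed model of rules -> security classes -> roles -> users.
# Added example only; not Infor's implementation.


@dataclass(frozen=True)
class Rule:
    """One access right on one securable object (for example, form HR11)."""
    obj: str
    view: bool = True
    update: bool = False
    hidden_fields: frozenset = frozenset()   # fields neither viewable nor changeable
    drill: bool = True                        # whether drill fields may be accessed


@dataclass
class SecurityClass:
    name: str
    rules: list


@dataclass
class Role:
    name: str
    classes: list


@dataclass
class User:
    rmid: str
    roles: list


def rules_for(user, obj):
    """Every rule for obj that reaches the user through any role and class."""
    return [r for role in user.roles for sc in role.classes for r in sc.rules if r.obj == obj]


def can_access(user, obj, action, field_name=None):
    """Deny by default; grant if some reaching rule allows the action.
    A field hidden by any reaching rule is denied (assumed policy:
    the most restrictive field rule wins)."""
    applicable = rules_for(user, obj)
    if not applicable:
        return False
    if field_name is not None and any(field_name in r.hidden_fields for r in applicable):
        return False
    if action == "view":
        return any(r.view for r in applicable)
    if action == "update":
        return any(r.update for r in applicable)
    if action == "drill":
        return any(r.drill for r in applicable)
    raise ValueError(f"unknown action {action!r}")


# Constructed sample data built from the Rules entry's HR11 examples.
HR11_VIEW_ONLY = Rule("HR11", view=True, update=False)
HR11_NO_SALARY = Rule("HR11", view=True, update=True, hidden_fields=frozenset({"SALARY"}))
HR11_NO_DRILL = Rule("HR11", view=True, update=True, drill=False)

EMPLOYEE_MAINTENANCE = SecurityClass("Employee Maintenance", [HR11_NO_SALARY])
EMPLOYEE_INQUIRY = SecurityClass("Employee Inquiry", [HR11_VIEW_ONLY])

HR_CLERK = Role("HR Clerk", [EMPLOYEE_MAINTENANCE])
HR_VIEWER = Role("HR Viewer", [EMPLOYEE_INQUIRY])

ALICE = User("alice", [HR_CLERK])
BOB = User("bob", [HR_VIEWER])


def demo():
    """Evaluate a few requests; returns a dict for inspection or testing."""
    return {
        "alice_update_hr11": can_access(ALICE, "HR11", "update"),           # True
        "alice_view_salary": can_access(ALICE, "HR11", "view", "SALARY"),   # False
        "bob_view_hr11": can_access(BOB, "HR11", "view"),                   # True
        "bob_update_hr11": can_access(BOB, "HR11", "update"),               # False
        "bob_view_ap20": can_access(BOB, "AP20", "view"),                   # False
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

Because a user can reach the same object through several roles, the evaluation collects every applicable rule before deciding; when reviewing a role, check whether the union of its classes grants more than any single class was meant to.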

Service (and Agent)

In Infor Security, a component of the Infor Lawson system that requires authentication has a service associated with it. (Some services are delivered by Infor Lawson; you must create or configure others as described by your Infor Lawson documentation.) Among other things, the service stores users' credentials for the Infor Lawson component. When a user attempts to launch the component, the component's service authenticates the user behind the scenes. If the user is known by the service, the user can use it without having to log in again.

Here's an example: Ted, a billing clerk, has access to Lawson Portal, through which they navigate the billing applications that they use to perform their job. Ted's company has chosen to audit all attempts to access the DB2 database that stores application data. For auditing to take place, a database service must exist. Ted must have an identity on the database service so that their attempts to access the DB2 database are recorded. (Ted's identity is linked to the database service when they are added as a user to the Infor Lawson system.) The result is that when Ted queries and updates the database, their actions are logged. However, Ted did not have to log into the Infor Lawson system a second time for that to happen. Behind the scenes, the Lawson Portal service (SSOP) and the database service communicated with each other and Ted was authenticated seamlessly.

An agent is a special kind of service that allows for an extra level of security because it can be tied to a product line. That means the agent will only check users' credentials on a particular data source; all other data sources are prohibited. Infor Lawson uses the agent type of service for Self-Service applications. You create an agent for each Self-Service application you have on site.

Session Management

Session management allows for time-out of users' sessions in Infor Lawson components where it is applicable. For example, you can set up sessions so that if a user does not make a keystroke within a certain number of minutes, the session times out.